steveloughran commented on a change in pull request #970: HADOOP-16371: Option to disable GCM for SSL connections when running on Java 8 URL: https://github.com/apache/hadoop/pull/970#discussion_r295217064
########## File path: hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/performance.md ########## 
@@ -516,3 +516,29 @@ With an object store this is slow, and may cause problems if the caller expects an immediate response. For example, a thread may block so long that other liveness checks start to fail. Consider spawning off an executor thread to do these background cleanup operations. + +## <a name="coding"></a> Tuning SSL Performance + +By default, S3A uses HTTPS to communicate with S3. This means that all +communication with S3 is encrypted using SSL. The overhead of this encryption +can significantly slow down applications. The configuration option +`fs.s3a.ssl.channel.mode` allows applications to trigger certain SSL +optimizations. + +By default, `fs.s3a.ssl.channel.mode` is set to `Default_JSSE`, which uses +the Java Secure Socket Extension implementation of SSL (this is the default +implementation when running Java). However, there is one difference, the GCM +cipher is removed from the list of enabled cipher suites when running on Java 8. +The GCM cipher has known performance issues when running on Java 8, see +HADOOP-15669 and HADOOP-16050 for details. It is important to note that the +GCM cipher is only disabled on Java 8. GCM performance has been improved +in Java 9, so if `Default_JSSE` is specified and applications run on Java +9, they should see no difference compared to running with the vanilla JSSE. + +Other options for `fs.s3a.ssl.channel.mode` include `DEFAULT_JSSE_WITH_GCM`. +This option includes GCM in the list of cipher suites on Java 8, so it is +equivalent to running with the vanilla JSSE. The naming convention is setup +in order to preserve backwards compatibility with HADOOP-15669. + Review comment: Proposed: add a markdown table of meanings , plus the XML config snippets for people to copy and paste into their own site configs. Doing that makes it easier for people to understand what is on offer and to easily switch between them. 
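Review bot: The option values are written with inconsistent casing: the second added paragraph gives the default as `Default_JSSE`, while the third gives the alternative as `DEFAULT_JSSE_WITH_GCM`. Use one casing throughout, and state whether the value is matched case-insensitively, since readers will copy these strings into their site configs. The second paragraph also says GCM is removed from the enabled cipher suites on Java 8 without saying which suites remain, so a reader cannot tell what the connection will negotiate instead; a sentence naming the fallback would let operators judge the trade-off. Two smaller points: the anchor `<a name="coding"></a>` on the "Tuning SSL Performance" heading does not match the heading text and looks copied from another section, and "run on Java 9" at the end of the second paragraph should say whether later Java versions are covered as well.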
